CoreELEC as a (wireguard) Gateway?

Recently noticed that CoreELEC provides both connmanctl (howto within) and wireguard, which makes it really easy to set up wireguard.

It would be the cat's pyjamas if one could use coreelec as a gateway for the whole network, but for now I'll just test it on one device.

However, if I specify my coreelec’s ip as gateway, I can’t ping anything but the local network.

I looked around and saw that one can turn off iptables, with systemctl mask iptables, but when I look afterwards by iptables -S, I get:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-d56944dbece8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d56944dbece8 -j DOCKER
-A FORWARD -i br-d56944dbece8 ! -o br-d56944dbece8 -j ACCEPT
-A FORWARD -i br-d56944dbece8 -o br-d56944dbece8 -j ACCEPT
-A FORWARD -o hassio -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o hassio -j DOCKER
-A FORWARD -i hassio ! -o hassio -j ACCEPT
-A FORWARD -i hassio -o hassio -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-d56944dbece8 -o br-d56944dbece8 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-d56944dbece8 ! -o br-d56944dbece8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i hassio ! -o hassio -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d56944dbece8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o hassio -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

What do I have to change to be able to use coreelec as a wireguard gateway?
(preferably with iptables on)

Thanks!

Docker writes its own iptables rules. But what you probably need are your own iptables rules. I need those for my Debian server too.

Yes. I read that in:
/etc/iptables/README

To create your own set of Netfilters you can save your rules in:

/storage/.config/iptables/rules.v4 for ipv4
/storage/.config/iptables/rules.v6 for ipv6

To modify tables, edit with nano then save with:

iptables-save >/storage/.config/iptables/rules.v4
ip6tables-save >/storage/.config/iptables/rules.v6

However, what would these iptables be?
Something like:
iptables -A INPUT -s 192.168.0.45/32 -j ACCEPT
#firstgooglehit

Depends on your setup. The Arch wiki is a good resource: https://wiki.archlinux.org/index.php/WireGuard

Wireguard is running fine, it's the iptables (most probably) that stops me from using the N2 as a gateway on the same network: the N2 is on 192.168.1.3 and the PC on 192.168.1.2.

If I set my pc static as:
192.168.1.2
255.255.255.0
Gateway: 192.168.1.3
DHCP: 192.168.1.1

Then I can only ping the local network, not even 8.8.8.8.

But you need to forward your traffic. Iptables is used for that. That’s why your docker uses it too. But you can disable iptables in the CE settings.

Should it not be enough to state one's gateway?

When I turn off iptables as it says in the README:
systemctl mask iptables

And when I:
iptables -S:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-d56944dbece8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d56944dbece8 -j DOCKER
-A FORWARD -i br-d56944dbece8 ! -o br-d56944dbece8 -j ACCEPT
-A FORWARD -i br-d56944dbece8 -o br-d56944dbece8 -j ACCEPT
-A FORWARD -o hassio -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o hassio -j DOCKER
-A FORWARD -i hassio ! -o hassio -j ACCEPT
-A FORWARD -i hassio -o hassio -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-d56944dbece8 -o br-d56944dbece8 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-d56944dbece8 ! -o br-d56944dbece8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i hassio ! -o hassio -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d56944dbece8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o hassio -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

However, I am at a loss here with iptables, since it seems to stop anything.

As you can see it sets INPUT to accept so your “mask command” works. But you have Docker and it sets forward and also nat rules otherwise those dockers would not be accessible.

With vpn or wireguard it's the same: you need to set nat and forwarding, otherwise it will not work.
OpenVPN does that automatically, but wireguard is very raw. Debian or Ubuntu have helper scripts like wg-quick for that.

Yes, but here it chokes on ‘shopt’ (see thread).

Well, then this needs fixing. Otherwise no routing and no nat, meaning no network connection.


Found a script that looks to have interesting(?) iptables.
#diggingblind

I mean, wireguard works real great behind those walls, traffic ticks on in the ifconfig wg section, but it leaves some points on the wishlist as you say.

From said scripture:

iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -A POSTROUTING -o $EXT_NET_IF -j MASQUERADE
iptables -A FORWARD -i %i -j ACCEPT
ip6tables -A FORWARD -i %i -j ACCEPT
iptables -D FORWARD -i %i -j ACCEPT
ip6tables -D FORWARD -i %i -j ACCEPT
iptables -t nat -D POSTROUTING -o $EXT_NET_IF -j MASQUERADE
iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu
ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $EXT_NET_IF -j TCPMSS --clamp-mss-to-pmtu

I sort of understand that this demands a goat, a new moon, an old nicotine-stained IBM mech keyboard and sage.

@danielpub:

Maybe the little manual to turn CoreELEC into a zerotier gateway can help you, the full article is here.

It involves adding the following command lines in CoreELEC (I do this in /storage/.config/autostart.sh):

echo 1 > /proc/sys/net/ipv4/ip_forward
(this is required, default ip_forward in CoreELEC is 0)

iptables -A FORWARD -i ztc3quell2 -o eth0 -j ACCEPT
(everything coming from the zerotier interface to eth0 domain IPs is accepted)

iptables -A FORWARD -i eth0 -o ztc3quell2 -m state --state ESTABLISHED,RELATED -j ACCEPT
(no one with an IP in the eth0 domain can initiate a conversation destined for zerotier but can converse with previously established communications from zerotier)

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(mask everything that comes out of eth0)

route add -net 192.168.8.0 netmask 255.255.255.0 gw 10.10.10.12
(allows finding a remote IP in another domain, 192.168.8.0/24, whose gateway is another remote zerotier device with IP 10.10.10.12)
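Putting the pieces of this thread together for the original poster's topology (LAN clients on eth0 sending their traffic through the box's WireGuard tunnel, with Docker still running), here is an added example: a POSIX sh script that is not code from CoreELEC, Docker, wg-quick or any poster. It assumes the LAN interface is eth0, the LAN subnet is 192.168.1.0/24, the tunnel interface is wg0, and that Docker has left the FORWARD policy at DROP with a DOCKER-USER chain present, as in the `iptables -S` output above; all of those names and values are assumptions to adapt. Note that the forwarding direction is the reverse of the zerotier recipe: here the LAN side initiates and the tunnel side only answers.

```shell
#!/bin/sh
# Added example for this thread (not code from CoreELEC, Docker or any poster):
# generate, and optionally apply, the forwarding + NAT rules that let LAN hosts
# use a CoreELEC box as their WireGuard gateway.
#
# Assumptions (labelled, adjust to your box):
#   LAN_IF   interface facing the LAN             (assumed: eth0)
#   TUN_IF   WireGuard interface                  (assumed: wg0)
#   LAN_NET  LAN subnet allowed to use the tunnel (assumed: 192.168.1.0/24)
# Docker is assumed to be present: FORWARD policy DROP and a DOCKER-USER chain.
# Docker jumps to DOCKER-USER before its own FORWARD rules and does not flush
# it, so that chain is where custom forwarding rules belong.

LAN_IF="${LAN_IF:-eth0}"
TUN_IF="${TUN_IF:-wg0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the commands as text, one per line. Pure text generation, safe anywhere.
#
# Why -I and not -A on DOCKER-USER: Docker appends "-A DOCKER-USER -j RETURN",
# so a rule appended after it would never be reached. Inserting at the head
# puts our rules in front of that RETURN.
gateway_rules() {
    lan_if=$1; tun_if=$2; lan_net=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -N DOCKER-USER 2>/dev/null || true
iptables -C FORWARD -j DOCKER-USER 2>/dev/null || iptables -I FORWARD -j DOCKER-USER
iptables -I DOCKER-USER -i $tun_if -o $lan_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I DOCKER-USER -i $lan_if -o $tun_if -s $lan_net -j ACCEPT
iptables -t nat -A POSTROUTING -s $lan_net -o $tun_if -j MASQUERADE
iptables -t mangle -A POSTROUTING -o $tun_if -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOF
}

# Number of iptables commands that would be installed (used for a self-check).
rule_count() {
    gateway_rules "$@" | grep -c '^iptables'
}

# Append the commands to a boot script such as /storage/.config/autostart.sh
# (path taken from the thread); only the file name given is touched.
write_autostart() {
    target=$1
    {
        echo "# WireGuard gateway rules (generated)"
        gateway_rules "$LAN_IF" "$TUN_IF" "$LAN_NET"
    } >> "$target"
}

# Apply for real only as root with iptables available; otherwise print what
# would run, so the script can be executed for review without side effects.
apply_gateway_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        gateway_rules "$LAN_IF" "$TUN_IF" "$LAN_NET" | sh -e
    else
        echo "# dry run (not root or iptables missing); would execute:"
        gateway_rules "$LAN_IF" "$TUN_IF" "$LAN_NET"
    fi
}

# After applying: the two ACCEPT rules must appear in DOCKER-USER ahead of the
# RETURN, the MASQUERADE rule must be in nat POSTROUTING, and ip_forward must be 1.
show_state() {
    iptables -S DOCKER-USER
    iptables -t nat -S POSTROUTING
    cat /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply)     apply_gateway_rules ;;
    autostart) write_autostart "${2:-/storage/.config/autostart.sh}" ;;
    show)      show_state ;;
    *)         gateway_rules "$LAN_IF" "$TUN_IF" "$LAN_NET" ;;
esac
```

Running the script with no argument just prints the commands; `apply` installs them, `autostart` appends them to the boot script, and `show` is the check to run afterwards. The MASQUERADE rule is not optional: the remote WireGuard peer only accepts packets whose source address is inside its AllowedIPs for this box, which normally covers just the wg0 address, so LAN-sourced packets must be rewritten to it or the far end silently drops them. The MSS clamp matches what the wg-quick snippet above does and avoids stalled TCP sessions caused by the tunnel's smaller MTU. The rule set only opens LAN-to-tunnel forwarding; Docker's existing rules and the FORWARD DROP policy stay as they are.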

I did something like this as a project for my Raspberry Pi 4 with Pihole, Unbound and Wireguard (as a client for a Wireguard server on my VPS) installed on a gateway interface. The said gateway should be on a different subnet than the one you are using to connect the device to the internet. It involves using dnsmasq, hostapd and dhcpcd. The only iptables rule that you have to add is the one that accepts input traffic from the gateway interface (wg0) then outputs to the internet (eth0). Then lastly, ip forwarding via net.ipv4.ip_forward=1.

The overview is, you host an AP (hostapd) on a wireless interface (wlan0) with a specific static IP/subnet (dhcpcd). Clients connect to it and are given DHCP addresses from that subnet (dnsmasq). Then the traffic is forwarded from that interface to the internet (e.g. eth0 or another wlan).

I have no idea how to do these on CoreELEC because I’m new to it (just installed it yesterday) but I’m giving you one on how you might.
